Discussion:
[cisco-voip] Digicert Wildcard certificates
Ian Anderson
2015-07-15 13:35:37 UTC
Permalink
Hi All,

I'm resurrecting an old thread from the deep, where Nate suggested using
DigiCert wildcard certificates for UC infrastructure.

I'm trying to use some of these for a Expressway MRA implementation, and am
struggling with the TLS-verification between the Expressway-E and
Expressway-C.

There are a few posts out there on 'tinternet that seem to suggest that
Wildcard certificates aren't supported, however Nate's post below indicated
that the digicert wildcards worked fine with expressway.

Before I put a permanent dent in this desk with my head, has anyone else
had success with Digicert wildcard certs in an Expressway MRA deployment?

Cheers

Ian
*> >* Use DIGICERT! You can get a wildcard cert from them, and use it
over and over. So you just generate the cert based on the CSR from
each app and it loads right in.
*> >* Works great on CUCM, CUC, CUP, & Expressway!
*
NateCCIE
2015-07-15 14:02:06 UTC
Permalink
Did you put all of your SANs in the digicert page?

I have this working on all of my expressway installs.

Sent from my iPhone
+1 801 718 2308
Post by Ian Anderson
Hi All,
I'm resurrecting an old thread from the deep, where Nate suggested using DigiCert wildcard certificates for UC infrastructure.
I'm trying to use some of these for a Expressway MRA implementation, and am struggling with the TLS-verification between the Expressway-E and Expressway-C.
There are a few posts out there on 'tinternet that seem to suggest that Wildcard certificates aren't supported, however Nate's post below indicated that the digicert wildcards worked fine with expressway.
Before I put a permanent dent in this desk with my head, has anyone else had success with Digicert wildcard certs in an Expressway MRA deployment?
Cheers
Ian
Use DIGICERT! You can get a wildcard cert from them, and use it over and over. So you just generate the cert based on the CSR from each app and it loads right in.
Works great on CUCM, CUC, CUP, & Expressway!
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
Ian Anderson
2015-07-15 14:18:18 UTC
Permalink
Post by NateCCIE
Did you put all of your SANs in the digicert page?
I have this working on all of my expressway installs.
Hi Nate,
Thanks for the quick response, just for preservation in the archives for
future posterity and confirmation that digicert seems fine despite the
warnings in the manuals, it seemed I was running into 2 separate issues.

1) I had uploaded the intermediate cert, but needed to manually download
and upload the root CA
2) That then got me past the TLS error, only to find that I had
fat-fingered the hostname in the SAN field :-(

Cheers

Ian
Heim, Dennis
2015-07-15 14:28:27 UTC
Permalink
I’ve found the hardest thing to find a cert providers that likes putting the domain as a san such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
[twitter]<https://twitter.com/CollabSensei>
[chat]<xmpp:***@wwt.com>[Phone]<tel:+13142121814>[video]<sip:***@wwt.com>
“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper

Click here to join me in my Collaboration Meeting Room<https://wwt.webex.com/meet/dennis.heim>

From: cisco-voip [mailto:cisco-voip-***@puck.nether.net] On Behalf Of Ian Anderson
Sent: Wednesday, July 15, 2015 10:18 AM
To: NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates


On 15 July 2015 at 15:02, NateCCIE <***@gmail.com<mailto:***@gmail.com>> wrote:
Did you put all of your SANs in the digicert page?

I have this working on all of my expressway installs.
Hi Nate,

Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.

1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(

Cheers

Ian
Eric Pedersen
2015-07-15 15:08:17 UTC
Permalink
Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.

From: cisco-voip [mailto:cisco-voip-***@puck.nether.net] On Behalf Of Heim, Dennis
Sent: 15 July 2015 8:28 AM
To: Ian Anderson; NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates

I’ve found the hardest thing to find a cert providers that likes putting the domain as a san such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
[twitter]<https://twitter.com/CollabSensei>
[chat]<xmpp:***@wwt.com>[Phone]<tel:+13142121814>[video]<sip:***@wwt.com>
“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper

Click here to join me in my Collaboration Meeting Room<https://wwt.webex.com/meet/dennis.heim>

From: cisco-voip [mailto:cisco-voip-***@puck.nether.net] On Behalf Of Ian Anderson
Sent: Wednesday, July 15, 2015 10:18 AM
To: NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates


On 15 July 2015 at 15:02, NateCCIE <***@gmail.com<mailto:***@gmail.com>> wrote:
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,

Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.

1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(

Cheers

Ian


The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication,
e-mail communications may be vulnerable to interception by unauthorized
parties. If you do not wish us to communicate with you by e-mail, please
notify us at your earliest convenience. In the absence of such
notification, your consent is assumed. Should you choose to allow us to
communicate by e-mail, we will not take any additional security measures
(such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe
by accessing this link: http://www.bennettjones.com/unsubscribe
Eric Pedersen
2015-07-15 16:51:21 UTC
Permalink
Good point. I spoke too soon: we use wildcard certificates on VCS-E and WebEx Meeting Server only. IIRC VCS officially doesn’t support wildcard certificates either but everything seems to work provided the hostnames are configured as SANs. CUCM might be the same with the multi-server certificate but I haven’t tried.

From: Anthony Holloway [mailto:avholloway+cisco-***@gmail.com]
Sent: 15 July 2015 10:43 AM
To: Eric Pedersen; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates

I'm a little confused here. According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard<http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard>, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/<https://tools.cisco.com/bugsearch/bug/CSCta14114/>, wild card certs are not supported. Are we talking about the same thing here?

On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <***@bennettjones.com<mailto:***@bennettjones.com>> wrote:
Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.

From: cisco-voip [mailto:cisco-voip-***@puck.nether.net<mailto:cisco-voip-***@puck.nether.net>] On Behalf Of Heim, Dennis
Sent: 15 July 2015 8:28 AM
To: Ian Anderson; NateCCIE; Cisco VOIP

Subject: Re: [cisco-voip] Digicert Wildcard certificates

I’ve found the hardest thing to find a cert providers that likes putting the domain as a san such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
[twitter]<https://twitter.com/CollabSensei>
[chat][Phone]<tel:+13142121814>[video]
“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper

Click here to join me in my Collaboration Meeting Room<https://wwt.webex.com/meet/dennis.heim>

From: cisco-voip [mailto:cisco-voip-***@puck.nether.net] On Behalf Of Ian Anderson

Sent: Wednesday, July 15, 2015 10:18 AM
To: NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates


On 15 July 2015 at 15:02, NateCCIE <***@gmail.com<mailto:***@gmail.com>> wrote:
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,

Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.

1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(

Cheers

Ian


The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe<http://www.bennettjones.com/unsubscribe>
_______________________________________________
cisco-voip mailing list
cisco-***@puck.nether.net<mailto:cisco-***@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip<https://puck.nether.net/mailman/listinfo/cisco-voip>


The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication,
e-mail communications may be vulnerable to interception by unauthorized
parties. If you do not wish us to communicate with you by e-mail, please
notify us at your earliest convenience. In the absence of such
notification, your consent is assumed. Should you choose to allow us to
communicate by e-mail, we will not take any additional security measures
(such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe
by accessing this link: http://www.bennettjones.com/unsubscribe
Heim, Dennis
2015-07-15 18:16:26 UTC
Permalink
If you have not seen the Cisco Live session on collab security I would definitely recommend it. It had some good discussion on certificates. Based on that Wildcard certs will never be supported on CUCM and the like and are frowned upon within the security community.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
[twitter]<https://twitter.com/CollabSensei>
[chat]<xmpp:***@wwt.com>[Phone]<tel:+13142121814>[video]<sip:***@wwt.com>
“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper

Click here to join me in my Collaboration Meeting Room<https://wwt.webex.com/meet/dennis.heim>

From: Eric Pedersen [mailto:***@bennettjones.com]
Sent: Wednesday, July 15, 2015 12:51 PM
To: Anthony Holloway; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
Subject: RE: [cisco-voip] Digicert Wildcard certificates

Good point. I spoke too soon: we use wildcard certificates on VCS-E and WebEx Meeting Server only. IIRC VCS officially doesn’t support wildcard certificates either but everything seems to work provided the hostnames are configured as SANs. CUCM might be the same with the multi-server certificate but I haven’t tried.

From: Anthony Holloway [mailto:avholloway+cisco-***@gmail.com]
Sent: 15 July 2015 10:43 AM
To: Eric Pedersen; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates

I'm a little confused here. According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wild card certs are not supported. Are we talking about the same thing here?

On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <***@bennettjones.com<mailto:***@bennettjones.com>> wrote:
Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.

From: cisco-voip [mailto:cisco-voip-***@puck.nether.net<mailto:cisco-voip-***@puck.nether.net>] On Behalf Of Heim, Dennis
Sent: 15 July 2015 8:28 AM
To: Ian Anderson; NateCCIE; Cisco VOIP

Subject: Re: [cisco-voip] Digicert Wildcard certificates

I’ve found the hardest thing to find a cert providers that likes putting the domain as a san such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.

Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
[twitter]<https://twitter.com/CollabSensei>
[chat][Phone]<tel:+13142121814>[video]
“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper

Click here to join me in my Collaboration Meeting Room<https://wwt.webex.com/meet/dennis.heim>

From: cisco-voip [mailto:cisco-voip-***@puck.nether.net] On Behalf Of Ian Anderson

Sent: Wednesday, July 15, 2015 10:18 AM
To: NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates


On 15 July 2015 at 15:02, NateCCIE <***@gmail.com<mailto:***@gmail.com>> wrote:
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,

Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.

1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(

Cheers

Ian


The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
cisco-***@puck.nether.net<mailto:cisco-***@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip


The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe
Justin Steinberg
2015-07-15 19:02:05 UTC
Permalink
To Dennis' point you don't have to put DNS=mycollab.com in the SAN. There
is an alternative to use DNS=collab-edge.mycollab.com

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-5.pdf

[image: Inline image 1]
Post by Heim, Dennis
If you have not seen the Cisco Live session on collab security I would
definitely recommend it. It had some good discussion on certificates. Based
on that Wildcard certs will never be supported on CUCM and the like and are
frowned upon within the security community.
*Dennis Heim | Emerging Technology Architect (Collaboration)*
World Wide Technology, Inc. | +1 314-212-1814
[image: twitter] <https://twitter.com/CollabSensei>
[image: chat][image: Phone] <+13142121814>[image: video]
“There is a fine line between Wrong and Visionary. Unfortunately, you have
to be a visionary to see it." – Sheldon Cooper
Click here to join me in my Collaboration Meeting Room
<https://wwt.webex.com/meet/dennis.heim>
*Sent:* Wednesday, July 15, 2015 12:51 PM
*To:* Anthony Holloway; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
*Subject:* RE: [cisco-voip] Digicert Wildcard certificates
Good point. I spoke too soon: we use wildcard certificates on VCS-E and
WebEx Meeting Server only. IIRC VCS officially doesn’t support wildcard
certificates either but everything seems to work provided the hostnames are
configured as SANs. CUCM might be the same with the multi-server
certificate but I haven’t tried.
*Sent:* 15 July 2015 10:43 AM
*To:* Eric Pedersen; Heim, Dennis; Ian Anderson; NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
wild card certs are not supported. Are we talking about the same thing
here?
Digicert lets you put your domain and subdomains of any level as SANs.
It’s great! They even generated a duplicate certificate for me with a
different root CA that was supported with WebEx enabled Telepresence. We
use their wildcard certificates on all of our UC servers.
Of *Heim, Dennis
*Sent:* 15 July 2015 8:28 AM
*To:* Ian Anderson; NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
I’ve found the hardest thing to find a cert providers that likes putting
the domain as a san such as DNS=mycollab.com. Has anyone found any
providers that are kosher with that? From one of the Cisco Live sessions, I
was told this is needed for service discovery to function properly.
*Dennis Heim | Emerging Technology Architect (Collaboration)*
World Wide Technology, Inc. | +1 314-212-1814
[image: twitter] <https://twitter.com/CollabSensei>
[image: chat][image: Phone] <+13142121814>[image: video]
“There is a fine line between Wrong and Visionary. Unfortunately, you have
to be a visionary to see it." – Sheldon Cooper
Click here to join me in my Collaboration Meeting Room
<https://wwt.webex.com/meet/dennis.heim>
*Sent:* Wednesday, July 15, 2015 10:18 AM
*To:* NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,
Thanks for the quick response, just for preservation in the archives for
future posterity and confirmation that digicert seems fine despite the
warnings in the manuals, it seemed I was running into 2 separate issues.
1) I had uploaded the intermediate cert, but needed to manually download
and upload the root CA
2) That then got me past the TLS error, only to find that I had
fat-fingered the hostname in the SAN field :-(
Cheers
Ian
The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication, e-mail
communications may be vulnerable to interception by unauthorized parties.
If you do not wish us to communicate with you by e-mail, please notify us
at your earliest convenience. In the absence of such notification, your
consent is assumed. Should you choose to allow us to communicate by e-mail,
we will not take any additional security measures (such as encryption)
unless specifically requested.
If you no longer wish to receive commercial messages, you can unsubscribe
by accessing this link: http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication, e-mail
communications may be vulnerable to interception by unauthorized parties.
If you do not wish us to communicate with you by e-mail, please notify us
at your earliest convenience. In the absence of such notification, your
consent is assumed. Should you choose to allow us to communicate by e-mail,
we will not take any additional security measures (such as encryption)
unless specifically requested.
If you no longer wish to receive commercial messages, you can unsubscribe
by accessing this link: http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
NateCCIE
2015-07-16 01:35:30 UTC
Permalink
Most of the time wildcard certs mean you have a CSR and a private key generated by something, and then you upload the private key and the public key to lots of servers. The application would need to be able to upload a private key and not require its own CSR.

Cucm, unity cxn, uccx, do not support uploading a private key.

Expressway, I think conductor do allow you to upload a private key.

But what makes digicert really cool is you can buy the wildcard cert, then you keep reissuing a new certificate from that one purchase.

You can do this from what I understand an unlimited times.

There may be other CAs that do this. I saw one the seemed like it was going to work, but since the CSR did not include the * as a SAN, they would not issue the cert.

Digicert with the Willard includes the *.domain.com and domain.com SANs automatically, and you can specify about 15 other SANs for each CSR/cert.

So cucm and the other apps are happy because the cert was generated using its own CSR.

Using these certs, I had one TAC case where cucm balked at the cert, but I could upload the cluster wide tomcat SAN cert via im&p. This turned out to be a problem with the domain casing not matching between all of the servers and the cert. always use domain.com and not DOMain.com and life is happy.

I am not affiliated with digicert other than they are here in Utah also. It just makes life really easy to tell the customer to buy this one cert and O I can make all of the Cisco UC/jabber cert errors go away!

Ps. Has anyone figured out what to do with conductor wanting IP address in the SAN?

Sent from my iPhone
Post by Heim, Dennis
I'm a little confused here. According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wild card certs are not supported. Are we talking about the same thing here?
Post by Eric Pedersen
Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.
Sent: 15 July 2015 8:28 AM
To: Ian Anderson; NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates
I’ve found the hardest thing to find a cert providers that likes putting the domain as a san such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.
Dennis Heim | Emerging Technology Architect (Collaboration)
World Wide Technology, Inc. | +1 314-212-1814
<image002.png><image003.png><image004.png>
“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper
Click here to join me in my Collaboration Meeting Room
Sent: Wednesday, July 15, 2015 10:18 AM
To: NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,
Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.
1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA
2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(
Cheers
Ian
The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested.
If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
Ian Anderson
2015-07-19 10:27:25 UTC
Permalink
Hi Nate,

I think that the concern of using wildcards generaly comes from the
security and compliance folks in that if the private key of any of the
servers was to be compromised then the resulting public and private keys
could be used to impersonate any subdomain, e.g e-payments.domain.com..

That said, as long as the customer is aware of the risk then the digicert
is a fantastic option, although a lot of these issues go away in 10.5.

The only app I've had it completely throw a wobble on so far is UCCX 9.0 as
this was checking the CN on certificate upload and didn't like * even
though the server name as in the SAN.

Cheers

Ian
Post by NateCCIE
Most of the time wildcard certs mean you have a CSR and a private key
generated by something, and then you upload the private key and the public
key to lots of servers. The application would need to be able to upload a
private key and not require its own CSR.
Cucm, unity cxn, uccx, do not support uploading a private key.
Expressway, I think conductor do allow you to upload a private key.
But what makes digicert really cool is you can buy the wildcard cert, then
you keep reissuing a new certificate from that one purchase.
You can do this from what I understand an unlimited times.
There may be other CAs that do this. I saw one the seemed like it was
going to work, but since the CSR did not include the * as a SAN, they would
not issue the cert.
Digicert with the Willard includes the *.domain.com and domain.com SANs
automatically, and you can specify about 15 other SANs for each CSR/cert.
So cucm and the other apps are happy because the cert was generated using its own CSR.
Using these certs, I had one TAC case where cucm balked at the cert, but I
could upload the cluster wide tomcat SAN cert via im&p. This turned out to
be a problem with the domain casing not matching between all of the servers
and the cert. always use domain.com and not DOMain.com and life is happy.
I am not affiliated with digicert other than they are here in Utah also.
It just makes life really easy to tell the customer to buy this one cert
and O I can make all of the Cisco UC/jabber cert errors go away!
Ps. Has anyone figured out what to do with conductor wanting IP address in the SAN?
Sent from my iPhone
On Jul 15, 2015, at 10:42 AM, Anthony Holloway <
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
wild card certs are not supported. Are we talking about the same thing
here?
Post by Eric Pedersen
Digicert lets you put your domain and subdomains of any level as SANs.
It’s great! They even generated a duplicate certificate for me with a
different root CA that was supported with WebEx enabled Telepresence. We
use their wildcard certificates on all of our UC servers.
Behalf Of *Heim, Dennis
*Sent:* 15 July 2015 8:28 AM
*To:* Ian Anderson; NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
I’ve found the hardest thing to find a cert providers that likes putting
the domain as a san such as DNS=mycollab.com. Has anyone found any
providers that are kosher with that? From one of the Cisco Live sessions, I
was told this is needed for service discovery to function properly.
*Dennis Heim | Emerging Technology Architect (Collaboration)*
World Wide Technology, Inc. | +1 314-212-1814
[image: twitter] <https://twitter.com/CollabSensei>
<image002.png><image003.png> <+13142121814><image004.png>
“There is a fine line between Wrong and Visionary. Unfortunately, you
have to be a visionary to see it." – Sheldon Cooper
Click here to join me in my Collaboration Meeting Room
<https://wwt.webex.com/meet/dennis.heim>
*Sent:* Wednesday, July 15, 2015 10:18 AM
*To:* NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,
Thanks for the quick response, just for preservation in the archives for
future posterity and confirmation that digicert seems fine despite the
warnings in the manuals, it seemed I was running into 2 separate issues.
1) I had uploaded the intermediate cert, but needed to manually download
and upload the root CA
2) That then got me past the TLS error, only to find that I had
fat-fingered the hostname in the SAN field :-(
Cheers
Ian
The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication, e-mail
communications may be vulnerable to interception by unauthorized parties.
If you do not wish us to communicate with you by e-mail, please notify us
at your earliest convenience. In the absence of such notification, your
consent is assumed. Should you choose to allow us to communicate by e-mail,
we will not take any additional security measures (such as encryption)
unless specifically requested.
If you no longer wish to receive commercial messages, you can unsubscribe
by accessing this link: http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
Charles Goldsmith
2015-07-20 16:18:27 UTC
Permalink
One thing of note, Digicert works very well with all of our UC apps with
their UC certificate. Add all of your server names as SAN's, as well as
the domain name, and just duplicate the certificate for each app, changing
the CN. It works well and also Digicert has great support.
Post by NateCCIE
Hi Nate,
I think that the concern of using wildcards generaly comes from the
security and compliance folks in that if the private key of any of the
servers was to be compromised then the resulting public and private keys
could be used to impersonate any subdomain, e.g e-payments.domain.com..
That said, as long as the customer is aware of the risk then the digicert
is a fantastic option, although a lot of these issues go away in 10.5.
The only app I've had it completely throw a wobble on so far is UCCX 9.0
as this was checking the CN on certificate upload and didn't like * even
though the server name as in the SAN.
Cheers
Ian
Post by NateCCIE
Most of the time wildcard certs mean you have a CSR and a private key
generated by something, and then you upload the private key and the public
key to lots of servers. The application would need to be able to upload a
private key and not require its own CSR.
Cucm, unity cxn, uccx, do not support uploading a private key.
Expressway, I think conductor do allow you to upload a private key.
But what makes digicert really cool is you can buy the wildcard cert,
then you keep reissuing a new certificate from that one purchase.
You can do this from what I understand an unlimited times.
There may be other CAs that do this. I saw one the seemed like it was
going to work, but since the CSR did not include the * as a SAN, they would
not issue the cert.
Digicert with the Willard includes the *.domain.com and domain.com SANs
automatically, and you can specify about 15 other SANs for each CSR/cert.
So cucm and the other apps are happy because the cert was generated using its own CSR.
Using these certs, I had one TAC case where cucm balked at the cert, but
I could upload the cluster wide tomcat SAN cert via im&p. This turned out
to be a problem with the domain casing not matching between all of the
servers and the cert. always use domain.com and not DOMain.com and life
is happy.
I am not affiliated with digicert other than they are here in Utah also.
It just makes life really easy to tell the customer to buy this one cert
and O I can make all of the Cisco UC/jabber cert errors go away!
Ps. Has anyone figured out what to do with conductor wanting IP address in the SAN?
Sent from my iPhone
On Jul 15, 2015, at 10:42 AM, Anthony Holloway <
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
wild card certs are not supported. Are we talking about the same thing
here?
On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <
Post by Eric Pedersen
Digicert lets you put your domain and subdomains of any level as SANs.
It’s great! They even generated a duplicate certificate for me with a
different root CA that was supported with WebEx enabled Telepresence. We
use their wildcard certificates on all of our UC servers.
Behalf Of *Heim, Dennis
*Sent:* 15 July 2015 8:28 AM
*To:* Ian Anderson; NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
I’ve found the hardest thing to find a cert providers that likes putting
the domain as a san such as DNS=mycollab.com. Has anyone found any
providers that are kosher with that? From one of the Cisco Live sessions, I
was told this is needed for service discovery to function properly.
*Dennis Heim | Emerging Technology Architect (Collaboration)*
World Wide Technology, Inc. | +1 314-212-1814
[image: twitter] <https://twitter.com/CollabSensei>
<image002.png><image003.png> <+13142121814><image004.png>
“There is a fine line between Wrong and Visionary. Unfortunately, you
have to be a visionary to see it." – Sheldon Cooper
Click here to join me in my Collaboration Meeting Room
<https://wwt.webex.com/meet/dennis.heim>
*Sent:* Wednesday, July 15, 2015 10:18 AM
*To:* NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,
Thanks for the quick response, just for preservation in the archives for
future posterity and confirmation that digicert seems fine despite the
warnings in the manuals, it seemed I was running into 2 separate issues.
1) I had uploaded the intermediate cert, but needed to manually download
and upload the root CA
2) That then got me past the TLS error, only to find that I had
fat-fingered the hostname in the SAN field :-(
Cheers
Ian
The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication, e-mail
communications may be vulnerable to interception by unauthorized parties.
If you do not wish us to communicate with you by e-mail, please notify us
at your earliest convenience. In the absence of such notification, your
consent is assumed. Should you choose to allow us to communicate by e-mail,
we will not take any additional security measures (such as encryption)
unless specifically requested.
If you no longer wish to receive commercial messages, you can
http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
NateCCIE
2015-07-21 12:16:23 UTC
Permalink
I think it’s 15 SANS plus *.domain.com and domain.com



Pricing is at https://www.digicert.com/wildcard-ssl-certificates.htm





From: cisco-voip [mailto:cisco-voip-***@puck.nether.net] On Behalf Of Anthony Holloway
Sent: Monday, July 20, 2015 11:49 PM
To: Charles Goldsmith; Ian Anderson
Cc: Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates



That's great to hear about digicert. I just went through a rough time with Comodo trying to get multiserver certs and my CNAMEs in the SAN field. How many SAN entries does digicert limit you to and at what price per year?



On Mon, Jul 20, 2015 at 11:19 AM Charles Goldsmith <***@justfamily.org <mailto:***@justfamily.org> > wrote:

One thing of note, Digicert works very well with all of our UC apps with their UC certificate. Add all of your server names as SAN's, as well as the domain name, and just duplicate the certificate for each app, changing the CN. It works well and also Digicert has great support.



On Sun, Jul 19, 2015 at 4:27 AM, Ian Anderson <***@andersoi.co.uk <mailto:***@andersoi.co.uk> > wrote:

Hi Nate,



I think that the concern of using wildcards generaly comes from the security and compliance folks in that if the private key of any of the servers was to be compromised then the resulting public and private keys could be used to impersonate any subdomain, e.g e-payments.domain.com <http://e-payments.domain.com> ..



That said, as long as the customer is aware of the risk then the digicert is a fantastic option, although a lot of these issues go away in 10.5.



The only app I've had it completely throw a wobble on so far is UCCX 9.0 as this was checking the CN on certificate upload and didn't like * even though the server name as in the SAN.



Cheers



Ian



On 16 July 2015 at 02:35, NateCCIE <***@gmail.com <mailto:***@gmail.com> > wrote:

Most of the time wildcard certs mean you have a CSR and a private key generated by something, and then you upload the private key and the public key to lots of servers. The application would need to be able to upload a private key and not require its own CSR.



Cucm, unity cxn, uccx, do not support uploading a private key.



Expressway, I think conductor do allow you to upload a private key.



But what makes digicert really cool is you can buy the wildcard cert, then you keep reissuing a new certificate from that one purchase.



You can do this from what I understand an unlimited times.



There may be other CAs that do this. I saw one the seemed like it was going to work, but since the CSR did not include the * as a SAN, they would not issue the cert.



Digicert with the Willard includes the *.domain.com <http://domain.com> and domain.com <http://domain.com> SANs automatically, and you can specify about 15 other SANs for each CSR/cert.



So cucm and the other apps are happy because the cert was generated using its own CSR.



Using these certs, I had one TAC case where cucm balked at the cert, but I could upload the cluster wide tomcat SAN cert via im&p. This turned out to be a problem with the domain casing not matching between all of the servers and the cert. always use domain.com <http://domain.com> and not DOMain.com <http://DOMain.com> and life is happy.



I am not affiliated with digicert other than they are here in Utah also. It just makes life really easy to tell the customer to buy this one cert and O I can make all of the Cisco UC/jabber cert errors go away!



Ps. Has anyone figured out what to do with conductor wanting IP address in the SAN?

Sent from my iPhone


On Jul 15, 2015, at 10:42 AM, Anthony Holloway <avholloway+cisco-***@gmail.com <mailto:avholloway+cisco-***@gmail.com> > wrote:

I'm a little confused here. According to this article: http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard, and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/, wild card certs are not supported. Are we talking about the same thing here?



On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <***@bennettjones.com <mailto:***@bennettjones.com> > wrote:

Digicert lets you put your domain and subdomains of any level as SANs. It’s great! They even generated a duplicate certificate for me with a different root CA that was supported with WebEx enabled Telepresence. We use their wildcard certificates on all of our UC servers.



From: cisco-voip [mailto:cisco-voip-***@puck.nether.net <mailto:cisco-voip-***@puck.nether.net> ] On Behalf Of Heim, Dennis
Sent: 15 July 2015 8:28 AM
To: Ian Anderson; NateCCIE; Cisco VOIP


Subject: Re: [cisco-voip] Digicert Wildcard certificates



I’ve found the hardest thing to find a cert providers that likes putting the domain as a san such as DNS=mycollab.com. Has anyone found any providers that are kosher with that? From one of the Cisco Live sessions, I was told this is needed for service discovery to function properly.



Dennis Heim | Emerging Technology Architect (Collaboration)

World Wide Technology, Inc. | +1 314-212-1814 <tel:%2B1%20314-212-1814>

<https://twitter.com/CollabSensei>

<image002.png> <tel:+13142121814> <image003.png><image004.png>

“There is a fine line between Wrong and Visionary. Unfortunately, you have to be a visionary to see it." – Sheldon Cooper



<https://wwt.webex.com/meet/dennis.heim> Click here to join me in my Collaboration Meeting Room



From: cisco-voip [mailto:cisco-voip-***@puck.nether.net] On Behalf Of Ian Anderson


Sent: Wednesday, July 15, 2015 10:18 AM
To: NateCCIE; Cisco VOIP
Subject: Re: [cisco-voip] Digicert Wildcard certificates





On 15 July 2015 at 15:02, NateCCIE <***@gmail.com <mailto:***@gmail.com> > wrote:

Did you put all of your SANs in the digicert page?

z

I have this working on all of my expressway installs.

Hi Nate,



Thanks for the quick response, just for preservation in the archives for future posterity and confirmation that digicert seems fine despite the warnings in the manuals, it seemed I was running into 2 separate issues.



1) I had uploaded the intermediate cert, but needed to manually download and upload the root CA

2) That then got me past the TLS error, only to find that I had fat-fingered the hostname in the SAN field :-(



Cheers



Ian



The contents of this message may contain confidential and/or privileged subject matter. If this message has been received in error, please contact the sender and delete all copies. Like other forms of communication, e-mail communications may be vulnerable to interception by unauthorized parties. If you do not wish us to communicate with you by e-mail, please notify us at your earliest convenience. In the absence of such notification, your consent is assumed. Should you choose to allow us to communicate by e-mail, we will not take any additional security measures (such as encryption) unless specifically requested.

If you no longer wish to receive commercial messages, you can unsubscribe by accessing this link: http://www.bennettjones.com/unsubscribe

_______________________________________________
cisco-voip mailing list
cisco-***@puck.nether.net <mailto:cisco-***@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
Justin Steinberg
2015-07-21 15:24:29 UTC
Permalink
While we are on the topic of certs, has anyone had issues with certain CAs
not allowing top level domain as a SAN (e.g. cisco.com) ?

GoDaddy would complain in the UI that you shouldn't have a top level domain
as a SAN but would still sign the cert. I'm having a problem know with
Internet2/Incommon where it won't let me put a top level domain in the cert
as a SAN. It just won't take the CSR.

Justin
Post by NateCCIE
I think it’s 15 SANS plus *.domain.com and domain.com
Pricing is at https://www.digicert.com/wildcard-ssl-certificates.htm
Of *Anthony Holloway
*Sent:* Monday, July 20, 2015 11:49 PM
*To:* Charles Goldsmith; Ian Anderson
*Cc:* Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
That's great to hear about digicert. I just went through a rough time with
Comodo trying to get multiserver certs and my CNAMEs in the SAN field. How
many SAN entries does digicert limit you to and at what price per year?
One thing of note, Digicert works very well with all of our UC apps with
their UC certificate. Add all of your server names as SAN's, as well as
the domain name, and just duplicate the certificate for each app, changing
the CN. It works well and also Digicert has great support.
Hi Nate,
I think that the concern of using wildcards generaly comes from the
security and compliance folks in that if the private key of any of the
servers was to be compromised then the resulting public and private keys
could be used to impersonate any subdomain, e.g e-payments.domain.com..
That said, as long as the customer is aware of the risk then the digicert
is a fantastic option, although a lot of these issues go away in 10.5.
The only app I've had it completely throw a wobble on so far is UCCX 9.0
as this was checking the CN on certificate upload and didn't like * even
though the server name as in the SAN.
Cheers
Ian
Most of the time wildcard certs mean you have a CSR and a private key
generated by something, and then you upload the private key and the public
key to lots of servers. The application would need to be able to upload a
private key and not require its own CSR.
Cucm, unity cxn, uccx, do not support uploading a private key.
Expressway, I think conductor do allow you to upload a private key.
But what makes digicert really cool is you can buy the wildcard cert, then
you keep reissuing a new certificate from that one purchase.
You can do this from what I understand an unlimited times.
There may be other CAs that do this. I saw one the seemed like it was
going to work, but since the CSR did not include the * as a SAN, they would
not issue the cert.
Digicert with the Willard includes the *.domain.com and domain.com SANs
automatically, and you can specify about 15 other SANs for each CSR/cert.
So cucm and the other apps are happy because the cert was generated using its own CSR.
Using these certs, I had one TAC case where cucm balked at the cert, but I
could upload the cluster wide tomcat SAN cert via im&p. This turned out to
be a problem with the domain casing not matching between all of the servers
and the cert. always use domain.com and not DOMain.com and life is happy.
I am not affiliated with digicert other than they are here in Utah also.
It just makes life really easy to tell the customer to buy this one cert
and O I can make all of the Cisco UC/jabber cert errors go away!
Ps. Has anyone figured out what to do with conductor wanting IP address in the SAN?
Sent from my iPhone
On Jul 15, 2015, at 10:42 AM, Anthony Holloway <
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
wild card certs are not supported. Are we talking about the same thing
here?
Digicert lets you put your domain and subdomains of any level as SANs.
It’s great! They even generated a duplicate certificate for me with a
different root CA that was supported with WebEx enabled Telepresence. We
use their wildcard certificates on all of our UC servers.
Of *Heim, Dennis
*Sent:* 15 July 2015 8:28 AM
*To:* Ian Anderson; NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
I’ve found the hardest thing to find a cert providers that likes putting
the domain as a san such as DNS=mycollab.com. Has anyone found any
providers that are kosher with that? From one of the Cisco Live sessions, I
was told this is needed for service discovery to function properly.
*Dennis Heim | Emerging Technology Architect (Collaboration)*
World Wide Technology, Inc. | +1 314-212-1814
[image: twitter] <https://twitter.com/CollabSensei>
<image002.png><image003.png> <+13142121814><image004.png>
“There is a fine line between Wrong and Visionary. Unfortunately, you have
to be a visionary to see it." – Sheldon Cooper
Click here to join me in my Collaboration Meeting Room
<https://wwt.webex.com/meet/dennis.heim>
*Sent:* Wednesday, July 15, 2015 10:18 AM
*To:* NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,
Thanks for the quick response, just for preservation in the archives for
future posterity and confirmation that digicert seems fine despite the
warnings in the manuals, it seemed I was running into 2 separate issues.
1) I had uploaded the intermediate cert, but needed to manually download
and upload the root CA
2) That then got me past the TLS error, only to find that I had
fat-fingered the hostname in the SAN field :-(
Cheers
Ian
The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication, e-mail
communications may be vulnerable to interception by unauthorized parties.
If you do not wish us to communicate with you by e-mail, please notify us
at your earliest convenience. In the absence of such notification, your
consent is assumed. Should you choose to allow us to communicate by e-mail,
we will not take any additional security measures (such as encryption)
unless specifically requested.
If you no longer wish to receive commercial messages, you can unsubscribe
by accessing this link: http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
Justin Steinberg
2015-07-21 21:55:12 UTC
Permalink
Ya sorry I meant the parent domain.

The issue ended up being that the Incommon wasn't setup right. Their 800
tech support fixed it in like 40 seconds which was pretty cool.

I believe the 10.5 systems add the parent domain, or maybe it is just
Multiserver certs.

Justin
Justin,

TLDs are like .com, .net, .org , etc. I think you meant parent domain.

Also, is that a feature of the multiserver cert, because I don't see CER
for example putting the parent domain in the CSR.
Post by Justin Steinberg
While we are on the topic of certs, has anyone had issues with certain CAs
not allowing top level domain as a SAN (e.g. cisco.com) ?
GoDaddy would complain in the UI that you shouldn't have a top level
domain as a SAN but would still sign the cert. I'm having a problem know
with Internet2/Incommon where it won't let me put a top level domain in the
cert as a SAN. It just won't take the CSR.
Justin
Post by NateCCIE
I think it’s 15 SANS plus *.domain.com and domain.com
Pricing is at https://www.digicert.com/wildcard-ssl-certificates.htm
Behalf Of *Anthony Holloway
*Sent:* Monday, July 20, 2015 11:49 PM
*To:* Charles Goldsmith; Ian Anderson
*Cc:* Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
That's great to hear about digicert. I just went through a rough time
with Comodo trying to get multiserver certs and my CNAMEs in the SAN field.
How many SAN entries does digicert limit you to and at what price per year?
One thing of note, Digicert works very well with all of our UC apps with
their UC certificate. Add all of your server names as SAN's, as well as
the domain name, and just duplicate the certificate for each app, changing
the CN. It works well and also Digicert has great support.
Hi Nate,
I think that the concern of using wildcards generaly comes from the
security and compliance folks in that if the private key of any of the
servers was to be compromised then the resulting public and private keys
could be used to impersonate any subdomain, e.g e-payments.domain.com..
That said, as long as the customer is aware of the risk then the digicert
is a fantastic option, although a lot of these issues go away in 10.5.
The only app I've had it completely throw a wobble on so far is UCCX 9.0
as this was checking the CN on certificate upload and didn't like * even
though the server name as in the SAN.
Cheers
Ian
Most of the time wildcard certs mean you have a CSR and a private key
generated by something, and then you upload the private key and the public
key to lots of servers. The application would need to be able to upload a
private key and not require its own CSR.
Cucm, unity cxn, uccx, do not support uploading a private key.
Expressway, I think conductor do allow you to upload a private key.
But what makes digicert really cool is you can buy the wildcard cert,
then you keep reissuing a new certificate from that one purchase.
You can do this from what I understand an unlimited times.
There may be other CAs that do this. I saw one the seemed like it was
going to work, but since the CSR did not include the * as a SAN, they would
not issue the cert.
Digicert with the Willard includes the *.domain.com and domain.com SANs
automatically, and you can specify about 15 other SANs for each CSR/cert.
So cucm and the other apps are happy because the cert was generated using its own CSR.
Using these certs, I had one TAC case where cucm balked at the cert, but
I could upload the cluster wide tomcat SAN cert via im&p. This turned out
to be a problem with the domain casing not matching between all of the
servers and the cert. always use domain.com and not DOMain.com and life
is happy.
I am not affiliated with digicert other than they are here in Utah also.
It just makes life really easy to tell the customer to buy this one cert
and O I can make all of the Cisco UC/jabber cert errors go away!
Ps. Has anyone figured out what to do with conductor wanting IP address in the SAN?
Sent from my iPhone
On Jul 15, 2015, at 10:42 AM, Anthony Holloway <
http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/115957-high-level-view-ca-00.html#wildcard,
and this defect ID: https://tools.cisco.com/bugsearch/bug/CSCta14114/,
wild card certs are not supported. Are we talking about the same thing
here?
On Wed, Jul 15, 2015 at 10:08 AM Eric Pedersen <
Digicert lets you put your domain and subdomains of any level as SANs.
It’s great! They even generated a duplicate certificate for me with a
different root CA that was supported with WebEx enabled Telepresence. We
use their wildcard certificates on all of our UC servers.
Behalf Of *Heim, Dennis
*Sent:* 15 July 2015 8:28 AM
*To:* Ian Anderson; NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
I’ve found the hardest thing to find a cert providers that likes putting
the domain as a san such as DNS=mycollab.com. Has anyone found any
providers that are kosher with that? From one of the Cisco Live sessions, I
was told this is needed for service discovery to function properly.
*Dennis Heim | Emerging Technology Architect (Collaboration)*
World Wide Technology, Inc. | +1 314-212-1814
[image: twitter] <https://twitter.com/CollabSensei>
<image002.png><image003.png> <+13142121814><image004.png>
“There is a fine line between Wrong and Visionary. Unfortunately, you
have to be a visionary to see it." – Sheldon Cooper
Click here to join me in my Collaboration Meeting Room
<https://wwt.webex.com/meet/dennis.heim>
*Sent:* Wednesday, July 15, 2015 10:18 AM
*To:* NateCCIE; Cisco VOIP
*Subject:* Re: [cisco-voip] Digicert Wildcard certificates
Did you put all of your SANs in the digicert page?
z
I have this working on all of my expressway installs.
Hi Nate,
Thanks for the quick response, just for preservation in the archives for
future posterity and confirmation that digicert seems fine despite the
warnings in the manuals, it seemed I was running into 2 separate issues.
1) I had uploaded the intermediate cert, but needed to manually download
and upload the root CA
2) That then got me past the TLS error, only to find that I had
fat-fingered the hostname in the SAN field :-(
Cheers
Ian
The contents of this message may contain confidential and/or privileged
subject matter. If this message has been received in error, please contact
the sender and delete all copies. Like other forms of communication, e-mail
communications may be vulnerable to interception by unauthorized parties.
If you do not wish us to communicate with you by e-mail, please notify us
at your earliest convenience. In the absence of such notification, your
consent is assumed. Should you choose to allow us to communicate by e-mail,
we will not take any additional security measures (such as encryption)
unless specifically requested.
If you no longer wish to receive commercial messages, you can unsubscribe
by accessing this link: http://www.bennettjones.com/unsubscribe
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
_______________________________________________
cisco-voip mailing list
https://puck.nether.net/mailman/listinfo/cisco-voip
Loading...